Security News This Week: Bug Bounties Pay But Piracy Doesn't


This week saw a terrorist attack in Manchester, and reports that presidential son-in-law Jared Kushner is a focus of the FBI's investigation of Russian election interference. And that's just for starters.

In the wake of the Manchester bombing, we looked at why it's so important to think before you tweet, since spreading images of the chaos only amplifies the terrorists' message. The judge who sentenced Silk Road creator Ross Ulbricht should have thought twice before handing down a life sentence, given a new study that shows the highly publicized punishment only increased dark web traffic.

Our up-close view of notorious hacking group APT32 shed some light on their practices. We also took a closer look at the potential downsides of 1Password's new Travel Mode feature. It removes access to the accounts of your choosing when you cross the border, but could raise suspicions in the process. And we took a look at how Russian hackers plant fake info alongside real leaks to sow confusion, disinformation, and distrust in the press.

And there’s more. Each Saturday we round up the news stories that we didn’t break or cover in depth but that still deserve your attention. As always, click on the headlines to read the full story in each link posted. And stay safe out there.

Bug bounties, the payments tech firms offer for anyone who tells them about hackable flaws in their code, are worth every penny. Case in point: Twitter in February paid for and patched a serious flaw submitted by a friendly security researcher that would have allowed anyone to essentially tweet as anyone else, from Justin Bieber to Donald Trump. "By sharing media with a victim user and then modifying the post request with the victim's account ID the media in question would be posted from the victim's account," Twitter wrote in its summary of the fix. In other words, hackers could craft a malicious tweet that would trick Twitter into displaying it to its hundreds of millions of users as if it came from someone else's account. The cost of that fix: $7,560—certainly a lot cheaper than the cost of @realdonaldtrump declaring nuclear war in 140 characters.

The Russian hackers who breached the Democratic National Committee, the Clinton campaign, and the Democratic Congressional Campaign Committee didn't just dump their stolen goods on the web and via WikiLeaks. They also communicated directly with GOP staffers. On Thursday the Wall Street Journal reported that Florida-based Republican political operative Aaron Nevins chatted directly with Guccifer 2.0, the so-called hacktivist who US intelligence agencies and cybersecurity companies have determined was a front for Kremlin-based hacker groups. According to the Journal, Guccifer shared elements of the Democrats' get-out-the-vote strategies in key swing states, which had been stolen from the Democratic Congressional Campaign Committee. The same hacker persona also then contacted Roger Stone, the Trump ally who later tweeted references predicting leaks from Clinton campaign staffer John Podesta.

Piracy doesn't pay—at least not when the subtitles in that kung fu film are designed to execute malicious code on your computer. Security firm Check Point revealed this week that four different video players—Popcorn Time, VLC, Kodi and Stremio, with more than 200 million users combined—all suffered from security flaws that allowed hackers to use subtitle files to gain unintended privileges and run commands on the computer's underlying operating system. As of Tuesday, at least VLC, the most popular of the affected video players with 170 million users, had patched the bugs Check Point identified. But the incident provides another reminder that BitTorrent and other file-sharing methods can lead people to download and unwittingly run dangerous code on their systems.